Title: The Forward-Backward String: A New Robust Feature for Botnet Detection
Chinese title (translated): Packet Direction Sequence: A New Feature Resistant to Evasion of Botnet Detection Systems
Authors: Su, Yuan-Hsiang (蘇園翔)
Tzeng, Wen-Guey
Keywords: Botnet Detection; Machine Learning; Evasion
Issue Date: 2017
Abstract: Botnets remain a major threat to network security. Researchers want to detect a botnet during its dormant phase, before it launches attacks, so that countermeasures can be taken in time; detecting command-and-control (C&C) communication is therefore an important part of botnet detection. Earlier detection systems based on machine learning have performed well and can distinguish C&C traffic from normal traffic. The feature sets those systems rely on, however, leave them with a long-standing weakness: the traditional features are not robust. A trained classifier performs worse than expected against communication that deliberately evades it, for example by noise injection, where the attacker randomly changes packet lengths or delays packet transmission. In view of this, we propose a new feature built from the direction of each packet in a network flow, which we call the forward-backward string (packet direction sequence). It needs the same information as the traditional features, is independent of packet payload, and can be computed from packet header information alone. The new feature gives the classifier more information about each flow, which both raises the accuracy of the detection system and improves its ability to recognize noise-injected C&C traffic.
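The following Python example is added here to illustrate the idea in the abstract; it is not code from the thesis. It assumes one plausible encoding of the forward-backward string (one character per packet, 'F' for packets sent by the flow initiator and 'B' for packets sent back by the responder), a simple bigram bag as one way such a string could be fed to a classifier, and a constructed beaconing flow between a hypothetical bot and C&C server. Applying the noise injection the abstract describes (random padding of packet length, random extra delays) shifts the traditional size and timing statistics but leaves the direction string untouched, because the attacker controls bytes and timing but not which side has to send each message.

```python
"""Forward-backward string vs. traditional flow features under noise injection.

Added example, not the thesis's own code. The 'F'/'B' encoding relative to the
flow initiator and the bigram bag are assumptions; the packet data is constructed.
"""
import random
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str           # "ip:port" taken from the packet header
    dst: str
    payload_len: int   # transport payload length in bytes


def forward_backward_string(flow):
    """Direction sequence relative to the sender of the first packet (assumed encoding)."""
    initiator = flow[0].src
    return "".join("F" if p.src == initiator else "B" for p in flow)


def traditional_features(flow):
    """Size and timing statistics of the kind earlier flow-based detectors relied on."""
    sizes = [p.payload_len for p in flow]
    iats = [b.ts - a.ts for a, b in zip(flow, flow[1:])]
    return {
        "mean_len": mean(sizes),
        "std_len": pstdev(sizes),
        "mean_iat": mean(iats) if iats else 0.0,
    }


def direction_ngrams(fb, n=2):
    """Bag of n-grams over the direction string, one way to vectorize it (assumption)."""
    return Counter(fb[i:i + n] for i in range(len(fb) - n + 1))


def inject_noise(flow, rng, max_pad=400, min_delay=0.1, max_delay=2.0):
    """Evasion as described in the abstract: pad every packet by a random number of
    bytes and delay every packet by a random amount (delays accumulate along the flow).
    The sender of each packet is left as-is: the attacker cannot change who must reply."""
    noisy, shift = [], 0.0
    for p in flow:
        shift += rng.uniform(min_delay, max_delay)
        noisy.append(Packet(p.ts + shift, p.src, p.dst,
                            p.payload_len + rng.randint(1, max_pad)))
    return noisy


# Constructed sample: a bot polling its C&C server every 30 s; the third poll
# receives a larger two-packet reply (e.g. a command) and a short acknowledgement.
BOT, CC = "10.0.0.5:49152", "203.0.113.7:443"
SAMPLE_FLOW = [
    Packet(0.00, BOT, CC, 120), Packet(0.05, CC, BOT, 60),
    Packet(30.00, BOT, CC, 120), Packet(30.05, CC, BOT, 60),
    Packet(60.00, BOT, CC, 120), Packet(60.05, CC, BOT, 900),
    Packet(60.10, CC, BOT, 900), Packet(60.20, BOT, CC, 40),
]


def compare_under_noise(flow=SAMPLE_FLOW, seed=1):
    """Compute both feature families on the clean flow and on a noise-injected copy."""
    noisy = inject_noise(flow, random.Random(seed))
    return {
        "fb_clean": forward_backward_string(flow),
        "fb_noisy": forward_backward_string(noisy),
        "trad_clean": traditional_features(flow),
        "trad_noisy": traditional_features(noisy),
    }


if __name__ == "__main__":
    result = compare_under_noise()
    print("forward-backward string, clean :", result["fb_clean"])
    print("forward-backward string, noisy :", result["fb_noisy"])
    print("traditional features, clean    :", result["trad_clean"])
    print("traditional features, noisy    :", result["trad_noisy"])
    print("direction bigrams              :", dict(direction_ngrams(result["fb_clean"])))
```

Running the script shows the direction string "FBFBFBBF" on both the clean and the noise-injected flow, while the mean packet length and mean inter-arrival time both grow after injection. A classifier trained on the size and timing statistics alone sees a different point in feature space after evasion; one that also receives the direction string (or its n-gram counts) keeps a feature the attacker did not change.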
URI: http://etd.lib.nctu.edu.tw/cdrfb3/record/nctu/#GT070456522
Appears in Collections:Thesis